Troubleshooting group policies

You should now be able to understand how to perform basic troubleshooting of Group group policies in Windows 10. We are not going to deep dive into every Group Policy because that is too much to cover in this book.

In general, when we refer to Group Policy, we are referring to Group Policy Objects (GPO) that contain Group Policy settings that are created by you as an IT administrator and are deployed to devices in a domain environment. Local Group Policy refers to policy settings that are locally administered and configured. A Group Policy can fail when applied to a Windows 10 device and there can be many reasons for this, such as incorrect GPO settings or a poor network connection.

Before you start investigating failed group policies, you can do a preliminary check in the following areas:

• Group Policy Client Service: Check whether this service has the status Running or Automatic in the Services.msc utility.
• Network Connection: Verify the network connection.
• Time: The time difference between the client and the server needs to be within five minutes of the time on the server.

To investigate these issues, you can use different tools, such as the Resultant Set of Policy (RsoP.msc) tool and the Group Policy Result (GPResult) tool from the command line.

Resultant Set of Policy

The Resultant Set of Policy tool is a diagnostic tool that is built into Windows 10 and is used to check and troubleshoot group policy settings. With this tool, you can view which group policy is being applied to the computer and user, and you can identify which source the policy is coming from. Besides this, you can use the tool to simulate new or modified group policy objects for planning purposes.

There are two modes that the tool can be run in; these modes are as follows:

• Logging Mode: It generates a report of policy settings for users and computers.
• Planning Mode: It can be used for what-if scenarios.

For running the tool to determine the applied user and computer policy settings, follow the next steps:

1. Click Start, then type and select rsop.msc.
2. The Resultant Set of Policy window will open; it runs straight away and generates a report for the user and computer policy settings.
3. In the Resultant Set of Policy window, you can view the applied settings for your user account and your computer account:
   

   Figure 6.20 - The RSoP output window

4. To simulate group policy object settings, you can use the planning mode of the Resultant Set of Policy tool. You must open an empty Microsoft Management Console (MMC) and add the Resultant Set of Policy snap-in. In the MMC, select the Resultant Set of Policy and select the Generate Rsop Data from the Action menu. In the Resultant Set of Policy wizard, choose Planning mode and finish the wizard:

Figure 6.21 - The Resultant Set of Policy Planning mode option

After you have run the wizard, you can view the results. You can use this to review the policy settings if you want to implement new policies in your environment.

Important Note

Planning mode is only available when the computer is connected to an Active Directory environment.

Besides the Resultant Set of Policy tool, you also have the GPResult tool.

Learning about the GPResult tool

The GPResult command-line tool provides you with the relevant group policies that are applied to a user or a Windows 10 device. This tool creates a report that displays which GPOs are applied to a Windows 10 device and separates the user policies from the computer policies.

To see which GPOs are applied to your device, follow the next steps:

1. Right-click Start and select Windows PowerShell (Admin).
2. In the User Account Control dialog box, click Yes.
3. Type the following command and press Enter:

   gpresult /r

4. You should now see the RsoP data for your device, as shown in the following screenshot:
   

   Figure 6.22 - An example of the output from the gpresult command

5. The output of the previous command will display the applied GPOs, the order of the GPOs, the details of the GPOs, the last applied time of the GPOs, the domain and functional level of the device, the domain controller is used to issue the GPO, the network speed threshold, the security groups of the user and computer are members of, and the details of the GPO filtering.

You can use command-line switches to fine-tune the report, for example, a user or a computer only. A few examples of command-line switches are as follows:

• Display the applied GPOs to a specific user:

gpresult /r /scope:user

• Display the applied GPOs to a specific computer:

gpresult /r /scope:computer

• Generate an HTML report:

gpresult /h c:\gporeport.html

In this section, we learned how you can troubleshoot group policies. The most widely used tools for troubleshooting are the Resultant Set of Policies (RsoP) tool and the GPResult command-line tool. Group policies are reliable on our network infrastructure and the time difference between client and server.